CVE-2024-48057

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-48057

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-48057.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-48057

Aliases

Downstream

SUSE-SU-2024:4042-1

openSUSE-SU-2024:14470-1

Related

Published

2024-11-04T23:15:04Z

Modified

2025-09-19T15:09:32.767927Z

Summary

[none]

Details

localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage.

References

Affected packages

Git / github.com/mudler/localai

Affected ranges

Type: GIT
Repo: https://github.com/mudler/localai
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

a9c521eb41dc2dd63769e5362f05d9ab5d8bec50

Affected versions

v.*

v.1.24.0

v0.*

v0.1

v0.10.0

v0.2

v0.3

v0.4

v0.5

v0.6

v0.7

v0.8

v0.8.1

v0.9

v0.9.1

v0.9.2

v1.*

v1.0

v1.1.0

v1.10.0

v1.10.1

v1.11.0

v1.11.1

v1.12.0

v1.13.0

v1.14.0

v1.14.1

v1.14.2

v1.15.0

v1.16.0

v1.17.0

v1.17.1

v1.18.0

v1.19.0

v1.19.1

v1.19.2

v1.2.0

v1.20.0

v1.20.1

v1.21.0

v1.22.0

v1.23.0

v1.23.1

v1.23.2

v1.24.1

v1.25.0

v1.3.0

v1.3.1

v1.3.2

v1.30.0

v1.4.0

v1.40.0

v1.5.0

v1.5.1

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.7.0

v1.7.1

v1.8.0

v1.8.1

v1.9.0

v1.9.1

v2.*

v2.0.0

v2.0.0_beta

v2.1.0

v2.10.0

v2.10.1

v2.11.0

v2.12.0

v2.12.1

v2.12.3

v2.13.0

v2.14.0

v2.15.0

v2.16.0

v2.17.0

v2.17.1

v2.18.0

v2.18.1

v2.19.0

v2.19.1

v2.19.2

v2.19.3

v2.19.4

v2.2.0

v2.20.0

v2.20.1

v2.3.0

v2.3.1

v2.4.0

v2.4.1

v2.5.0

v2.5.1

v2.6.0

v2.6.1

v2.7.0

v2.8.0

v2.8.1

v2.8.2

v2.9.0